Legal issues arising from the RIAA's lawsuits of intimidation brought against ordinary working people, and other important internet law issues. Provided by Ray Beckerman, P.C.

Friday, November 14, 2008

Duke University tells RIAA that it will no longer forward pre-litigation 'settlement letters' if RIAA can't show evidence of actual transfers of files

According to a report in p2pnet.net, Duke University has told the RIAA that it will no longer forward the RIAA's 'early settlement' letters to its students unless the RIAA submits 'evidence that someone actually downloaded from that student', and said that 'if the RIAA can’t prove that actual illegal behavior occurred, then we’re not going to comply':

Duke University to RIAA: put up or shut up

p2pnet news view | RIAA News:- Duke University has joined the growing list of schools balking at following Vivendi Universal, EMI, Warner Music and Sony BMG’s RIAA sue ‘em all instructions.

Put up or shut up, Duke University for VP for student affairs Larry Moneta ... has told Vivendi Universal, EMI, Warner Music and Sony BMG’s RIAA, in effect.

[Ed. note. While it is good news that a university is requiring the RIAA to put up or shut up, the forwarding -- or not forwarding -- of letters is pretty insignificant. What I want to know is this: 'When the RIAA comes knocking with its Star Chamber, ex parte, 'John Doe' litigation to get the students' identities, is the University going to go to bat for the students and fight the litigation on the ground that it's based on zero evidence, and on the ground that the students weren't given prior notice and an opportunity to be heard?'. -R.B.]

16 comments:

Anonymous
said...

If Duke really wants to end the whole affair, it can simply assign IPs dynamically and not keep logs of who has what IP. Any college that places a strong value on free speech would want to do something like this anyway. -yt

The statement that our unlicensed investigator MediaSentry downloaded infringing material from this IP address at this time should hardly be compelling. For starters, it isn't even illegal for MediaSentry to perform these downloads since they're being paid to do exactly that by the copyright holders through the RIAA.

Providing of an alleged downloaded MP3 audio file is hardly evidence either. Who knows where it came from, or if it qualifies as an infringing work.

A complete capture of all download packets along with the MP3 file is also far less than absolute proof. Who knows how the packets were captured, if they were altered, if the times are correct, and how well the unknown packet-capture software actually works.

Of course this all goes back to MediaSentry once more who don't qualify as illegal downloads in the first place.

This man sees MediaSentry as a bunch of goofs and scam artists selling The Emperor's New Clothes (a work out of copyright) to their ignorant masters. Of course they don't ever want their methods investigated, or their personnel deposed. The RIAA isn't nearly as technically savvy as they pretend - Carlos L. included. They don't understand that they're paying big bucks for a few free downloaded files and some monkey smart enough to hit the Print Screen key on occasion. The reason that the evidence never shows up is that it never properly exists. This is why hard drive forensic examinations are required because there is no admissible "evidence" otherwise. Even with that examination all it can actually "prove" is that, at most, some music files are on a hard drive and that filesharing software with a given user name now exists. Actual distribution has to be invented.

Has Duke, like other universities, been given IP addresses and timestamps that are clearly bogus insomuch as they don't map to any user on the system at the time specified? If so then Duke should question *every* IP address that does actually map to some user since that could be equally wrong.

So this man calls the question: What evidence would actually be sufficient?

Anonymous above has it correct. Don't keep logs that you're not required to keep.

Duke gets what the courts often don't when approving the RIAA's ex parte applications. When the RIAA demands action on the basis of downloads performed by their authorized agent, Duke realizes those downloads are not evidence of infringement. The "making available" theory no longer flies at Duke.

The real question, now, is how far Duke will press that point when the ex parte subpoenas start coming in.

The Common Man Speaking: You claim the RIAA doesn't know how MediaSentry actually works. What evidence do you have that (a) MediaSentry, (b) the RIAA attorneys, and (c) the record companies don't know what's going on here?

I think the RIAA knows what's going on but believes current legal efforts advance its goals by creating disincentive for P2P use. That the numbers belie this claim is irrelevant, because they see no better option.

#1 Anonymous and Common Man Speaking, while not keeping these logs sound like an easy solution it would not work. These types of logs are stored so that the various IT personal can have an understanding of what is going on with the network. We have many things to deal with besides copyright issues. Performance, security, viruses are daily issues for us and the ability to link an MAC or IP back to a PC or user is apart of that. Our networks are too large and we have too many computers connected to it that we do not control, to monitor everything in real time. Logging is unfortunately a necessity for us. We also do not keep the logs for any longer than we realistically need too. When you are dealing with the size SAN arrays (drive storage) we are dealing with, drive space is actually expensive and a premium.

What the RIAA needs to understand is we never intended for these logs to be used in a court of law. We do not have redundant logging system that hash checks the logs or encrypt them to verify integrity; we also do not log a lot of systems in real time but in snap shots. Many of our logs are not cross referenced to look for discrepancies. Depending on the structure of the institution, you may have several different departments involved with various standards.

Unfortunately, from my perspective, the solution is for us [Universities] to stop acting like ISP and providing students with internet access, but instead to just provide the infrastructure so that they can get their internet service from who ever they please. Another option is to separate the students off our main network and setup an external separate company from our selves to deal with these issues. Acting like an ISP just puts us in too many really bad positions.

Also everyone should keep in mind that Universalities receive two different types of notices from the RIAA. The first and most common is the stock DMCA notice, which the RIAA has admitted is a totally automated system prone to errors. The second is the subpoena. Most universities treat the DMCA notices as a disciplinary issue (i.e. Loss of network access for a period of time, required to attend a class on copyrights, etc), but typically never actually investigate if a copyright volition had actually occurred. I am pretty sure it is these types of notices Duke is talking about. Basically they are going to stop punishing their students just because the RIAA says they did it. When it comes to the subpoena, we only have two chooses. Give them the information or file a motion to quash. Once the student is sued, it is out of are hands and there is typically no disciplinary actions or judgment of the validity on our part.

Re "while not keeping these logs sound like an easy solution it would not work":

The problem for innocent defendants in these cases (and others) is that universities retain enough data to (inaccurately) answer the one dangerous question: "Who was using IP address ~ on date and time ~?"

You claim it's necessary for universities to retain this information, but when last checked many universities don't (or don't much of the time or don't for very long). The question is, how important is anonymous internet use compared with IT staff desires.

2: The RIAA doesn't truly care how accurate your information actually is. As has been demonstrated time and again they just want a name – any name – to extort. Even when computers they've insisted were the ones involved in the illegal acts proved completely clean to detailed forensic examinations, they concoct wild theories about file sharing programs installed on never seen external drives that left no traces on the main disc or registry. Or that there has been unproven spoliation of the evidence because it had to be there, and wasn't found. And when a dorm room contains multiple inhabitants, it's give us a name, any name, and we'll take it from there. Their flimsy evidence never has to stand up an any court of law since the cases never get that far, and you are the first cog in the chain that allows them to commit this damage on tens of thousands of people by admitting that you have any discoverable logs at all.

Maybe when students start suing their universities for improperly identifying them to the RIAA due to faulty logs and investigative procedures those universities will finally start feeling enough pain to stop these subpoenas where they should be stopped.

(*The problem for innocent defendants in these cases (and others) is that universities retain enough data to (inaccurately) answer the one dangerous question: "Who was using IP address ~ on date and time ~?" *)

As I said in previous post, we have reasons for it and how long (not all of which are determined by IT, some of it is legal, polices set from above, etc). It is not just us wanting to log and monitor stuff, just to do it.

Can we actually say who was using the IP? No the most we can say is this computer or this username was using it. The only way to actually know is to physically witness the person sitting at the computer. I would love to be called to the stand and say that in a court of law and I hope one day someone gets a chance.

(* You claim it's necessary for universities to retain this information, but when last checked many universities don't (or don't much of the time or don't for very long). *)

Actually that is precisely what I claimed in my post, that we don’t store much of it and typically not for very long. The question of not have it really comes down to the University not having a full picture of what information is where and what can be linked with what, something which is quite common in our dysfunctional world.

(* The question is, how important is anonymous internet use compared with IT staff desires. *)

The very nature of how computer networks work prevents true anonymous network usage, plus we do not have just Internet usage on our network (hence the problem). Network traffic is just network traffic until it hits our edge router and out onto the Internet. If we where to take the internet out of the picture (or as I suggested in my post, physically separate it) would you still feel that we should be giving people unfiltered anonymous accesses to everything on the private network?

It depends on the system in question and what requirements it has. Access to student records and financial information is typically stored for 7+ years and if a student accesses one of these systems, that alone can be enough for us to tag an IP back to a username during a certain period of time. Others are often compliance issues, that while the law may not spell out that we have to log something; it does require us to be able to prove we are in compliance, which in turns leads to us to logging stuff. The DMCA safe harbor provision is one such case. The issue is not just what is in our routers, DHCP server etc. It is the fact that everywhere you go on our network has the possibility of leaving a foot print or crumb.

(*Maybe when students start suing their universities for improperly identifying them to the RIAA due to faulty logs and investigative procedures those universities will finally start feeling enough pain to stop these subpoenas where they should be stopped. *)

I actually suggest something like that on this blog. Thanks to the courts declaring MAC addresses as directory information according to the letter of the law, we are failing to disclose that to students as a part of FERPA. If enough Universities get sued, maybe congress will change a lot of the crappy laws. There is/was actually a law floating around congress to shift even more of the burden of investigating and controlling P2P onto the Universities, which is only going to make matters worse. Not sure what its current status of it is.

The very nature of how computer networks work prevents true anonymous network usage, plus we do not have just Internet usage on our network (hence the problem). Network traffic is just network traffic until it hits our edge router and out onto the Internet. If we where to take the internet out of the picture (or as I suggested in my post, physically separate it) would you still feel that we should be giving people unfiltered anonymous accesses to everything on the private network?

Okay, I'm sitting in my dorm room with 253 of my closest buds. We've all got computers and we all want to connect with each other so I've got a little Linksys NATting wireless router plugged into the wall network connection with a MAC impersonation address that doesn't correspond to any of the MAC addresses on any our computers. I also have a lot of hubs, and a bunch of us are wireless. One of us is detected making files available by MediaSentry.

To this man, we may not be anonymous to each other but we're sure anonymous to you out at your office in the campus data center on the other side of the campus.

You can't even pin us down to 254 individual students or 254 MAC addresses (which can be all changed the next day). You only know (maybe) that this dorm room was tracked back to by a supplied IP address and timestamp and might be able to give the RIAA the MAC address of the Linksys.

In every case no in some cases yes, for example if the student in question happens to run remote helpdesk request software, then their local IP, MAC address, the port that the NAT device is plugged into, among other things helpful to help desk staff are put into the help ticket. If we are subpoenaed, that information is fair game to the RIAA. Also it is possible to detect most SOHO NAT devices because they have such poor implementations. That does not mean we can see past them, but we can see they are there and take action against them.

Most students, who are running a P2P application, do not run it alone. They start it up and while they are downloading are doing other things on their computer. These things may end up leaving a trace.

University, while they have always provided Internet service to their students it has only been recently that we have begun to think about our selves as ISP. Partly thanks to the RIAA. In the past student PCs have been treated as just another computer on the Enterprise network. An ISP network is setup totally different from Enterprise networks, and in some cases uses totally different equipment than we do. There are many things we do on an Enterprise network that an ISP would never think about doing, for example deep packet inspection for viruses (well excluding Comcast). ISP don’t worry about viruses as much as we do because your connection is isolated, unlike that in most dorms, where you are plugged into a switch and can see and talk to every other computer on the same subnet. If your PC gets infected you can spread it to everyone else, which is one of the reasons we want to have the ability to contact you.

There is one University I am aware of that makes you run a client application to connect to the network. It forwards all kinds of things about your computer onto them. Its job is to make sure you have all your security patches in place; virus scanner is up to date. You have a firewall etc. Since none of this information is consider an educational record, it is fair game for the RIAA. People should also be worried about FOIA.

Something else to consider for any students we may have reading this blog. Remember that some (NOT ALL) Universities are run by professors who have worked their way up to very powerful policy making positions. These people often have patents and copyrights that they make money off of and feel very strongly about and support the RIAA. Ray, you may want to consider adding a part to your website to list those schools who are at least trying to fight back.

If you're actually investigating a lot of log files on different servers, it sounds like (a) the subpoena is an undue burden, and (b) you now know what logs are a threat to student privacy and can act accordingly. To start with, tell your students what information you log, and for how long.

I don't know what you mean by referencing FOIA. Perhaps you can explain?

Remember that the university is selling a service to its students. If you as an IT department roll over on your students, you are lowering the quality of your university. In that case, some students will not come, leave, or never give back to the university later. And rightly so. I imagine you already have this in mind, though. :)

The subpoenas are unduly burdensome. Of course the RIAA feels we should just have this information at the touch of our fingers, and some schools have actually done that to ease the situation, other still have to mount this expatiation, since the subpoenas requests we look everywhere. Thus far the courts have been deaf to our situation.

As for trying to inform and educated students, it is an active and ongoing issue and I know a lot of schools now include a lot of this information during orientation. There is also a lot of discussion going, not just inside institutions but among institutions about what to do. Opinions very all over the place (some in favor of the students and others not), one place that will help is just getting the students involved and have them demand to know. Also as you have suggested, hit us where it counts, our pocket books and let us know why.

FOIA is Freedom of Information Act. While most people think of it as a federal law, most states also have such a law. The key to it is, one knowing the information exists and two knowing how to ask for it. There is a lot of information out there that many people just assume is confidential but can in fact be requested. Information may be protected under various laws (FERPA, HIPPA, etc) when they are in filling cabinet A, but that same information is not protected when it is in cabinet B.

I am a business lawyer in New York City, practicing at Ray Beckerman, P.C.. The purpose of this site is to collect and share information about the wave of sham "copyright infringement" lawsuits started by four large record companies, and other areas of concern to digital online copyright law, and to internet law in general. -Ray Beckermanbeckermanlegal.com(Attorney Advertising)

"[T]he Court is concerned about the lack of facts establishing that Defendant was using that IP address at that particular time. Indeed, the [complaint] does not explain what link, if any, there is between Defendant and the IP address. It is possible that Plaintiff sued Defendant because he is the subscriber to IP address .... As recognized by many courts, just because an IP address is registered to an individual does not mean that he or she is guilty of infringement when that IP address is used to commit infringing activity." -Hon. Barry Ted Moskowitz, Chief Judge, S.D. California. January 29, 2013, AF Holdings v. Rogers"The complaints assert that the defendants – identified only by IP address – were the individuals who downloaded the subject “work” and participated in the BitTorrent swarm. However, the assumption that the person who pays for Internet access at a given location is the same individual who allegedly downloaded a single sexually explicit film is tenuous, and one that has grown more so over time." - Hon. Gary R. Brown, Magistrate Judge, E.D.N.Y. May 1, 2012, K-Beech v. Does 1-37"The concern of this Court is that in these lawsuits, potentially meritorious legal and factual defenses are not being litigated, and instead, the federal judiciary is being used as a hammer by a small group of plaintiffs to pound settlements out of unrepresented defendants."-Hon. S. James Otero, Dist. Judge, Central Dist. California, March 2, 2007, Elektra v. O'Brien, 2007 ILRWeb (P&F) 1555"The University has adequately demonstrated that it is not able to identify the alleged infringers with a reasonable degree of technical certainty...[C]ompliance with the subpoena as to the IP addresses represented by these Defendants would expose innocent parties to intrusive discovery....[T]he Court declines to authorize discovery and quashes the subpoena as to Does # 8, 9, and 14" -Hon. Nancy Gertner, Dist. Judge, Dist. Massachusetts, November 24, 2008, London-Sire Records v. Does 1-4"[C]ounsel representing the record companies have an ethical obligation to fully understand that they are fighting people without lawyers... that the formalities of this are basically bankrupting people, and it's terribly critical that you stop it...." -Hon. Nancy Gertner, Dist. Judge, Dist. Massachusetts, June 17, 2008, London-Sire v. Does 1-4"Rule 11(b)(3) requires that a representation in a pleading have evidentiary support and one wonders if the Plaintiffs are intentionally flouting that requirement in order to make their discovery efforts more convenient or to avoid paying the proper filing fees. In my view, the Court would be well within its power to direct the Plaintiffs to show cause why they have not violated Rule 11(b) with their allegations respecting joinder. [I]t is difficult to ignore the kind of gamesmanship that is going on here.....These plaintiffs have devised a clever scheme... to obtain court-authorized discovery prior to the service of complaints, but it troubles me that they do so with impunity and at the expense of the requirements of Rule 11(b)(3) because they have no good faith evidentiary basis to believe the cases should be joined." -Hon. Margaret J. Kravchuk, Magistrate Judge, District of Maine, January 25, 2008, Arista v. Does 1-27, 2008 WL 222283, modified Oct. 29, 2008"[N]either the parties' submissions nor the Court's own research has revealed any case holding the mere owner of an internet account contributorily or vicariously liable for the infringing activities of third persons.....In addition to the weakness of the secondary copyright infringement claims against Ms. Foster, there is a question of the plaintiffs' motivations in pursuing them..... [T]here is an appearance that the plaintiffs initiated the secondary infringement claims to press Ms. Foster into settlement after they had ceased to believe she was a direct or "primary" infringer." -Hon. Lee R. West, District Judge, Western District of Oklahoma, February 6, 2007, Capitol v. Foster, 2007 WL 1028532"[A]n overwhelming majority of cases brought by recording companies against individuals are resolved without so much as an appearance by the defendant, usually through default judgment or stipulated dismissal.....The Defendant Does cannot question the propriety of joinder if they do not set foot in the courthouse." -Hon. S. James Otero, Central District of California, August 29, 2007, SONY BMG v. Does 1-5, 2007 ILRWeb (P&F) 2535"Plaintiffs are ordered to file any future cases of this nature against one defendant at a time, and may not join defendants for their convenience."-Hon. Sam Sparks and Hon. Lee Yeakel, District Judges, Western District of Texas, November 17, 2004, Fonovisa v. Does 1-41, 2004 ILRWeb (P&F) 3053"The Court is unaware of any other authority that authorizes the ex parte subpoena requested by plaintiffs."-Hon. Walter D. Kelley, Jr., District Judge, Eastern District of Virginia, July 12, 2007, Interscope v. Does 1-7, 494 F. Supp. 2d 388, vacated on reconsideration 6/20/08"Plaintiffs contend that unless the Court allows ex parte immediate discovery, they will be irreparably harmed. While the Court does not dispute that infringement of a copyright results in harm, it requires a Coleridgian "suspension of disbelief" to accept that the harm is irreparable, especially when monetary damages can cure any alleged violation. On the other hand, the harm related to disclosure of confidential information in a student or faculty member's Internet files can be equally harmful.....Moreover, ex parte proceedings should be the exception, not the rule."-Hon. Lorenzo F. Garcia, Magistrate Judge, District of New Mexico, May 24, 2007, Capitol v. Does 1-16, 2007 WL 1893603"'Statutory damages must still bear some relation to actual damages." Hon. Michael J. Davis, Dist. Judge, U.S.District Court, Dist. Minnesota, January 22, 2010, Capitol Records v. Thomas-Rasset"[T]his court finds that defendants' use of the same ISP and P2P networks to allegedly commit copyright infringement is, without more, insufficient for permissive joinder under Rule 20. This court will sever not only the moving defendants from this action, but all other Doe defendants except Doe 2." -Hon. W. Earl Britt, District Judge, Eastern District of North Carolina, February 27, 2008, LaFace v. Does 1-38, 2008 WL 544992"[L]arge awards of statutory damages can raise due process concerns. Extending the reasoning of Gore and its progeny, a number of courts have recognized that an award of statutory damages may violate due process if the amount of the award is "out of all reasonable proportion" to the actual harm caused by a defendant's conduct.[T]hese cases are doubtlessly correct to note that a punitive and grossly excessive statutory damages award violates the Due Process Clause....."Hon. Marilyn Hall Patel, Dist. Judge, N.D. California, June 1, 2005, In re Napster, 2005 US DIST Lexis 11498, 2005 WL 1287611"[P]laintiffs can cite to no case foreclosing the applicability of the due process clause to the aggregation of minimum statutory damages proscribed under the Copyright Act. On the other hand, Lindor cites to case law and to law review articles suggesting that, in a proper case, a court may extend its current due process jurisprudence prohibiting grossly excessive punitive jury awards to prohibit the award of statutory damages mandated under the Copyright Act if they are grossly in excess of the actual damages suffered....."-Hon. David G. Trager, Senior District Judge, Eastern Dist. New York, November 9, 2006, UMG v. Lindor, 2006 U.S. Dist. LEXIS 83486, 2006 WL 3335048"'[S]tatutory damages should bear some relation to actual damages suffered'....(citations omitted) and 'cannot be divorced entirely from economic reality'". -Hon. Shira A. Scheindlin, Dist. Judge, Southern Dist. New York, August 19, 2008, Yurman v. Castaneda"The Court would be remiss if it did not take this opportunity to implore Congress to amend the Copyright Act to address liability and damages in peer to peer network cases.... The defendant is an individual, a consumer. She is not a business. She sought no profit from her acts..... [T]he damages awarded in this case are wholly disproportionate to the damages suffered by Plaintiffs." -Hon. Michael J. Davis, District Judge, Dist. Minnesota, September 24, 2008, Capitol v. Thomas"If there is an asymmetry in copyright, it is one that actually favors defendants. The successful assertion of a copyright confirms the plaintiff's possession of an exclusive, and sometimes very valuable, right, and thus gives it an incentive to spend heavily on litigation. In contrast, a successful defense against a copyright claim, when it throws the copyrighted work into the public domain, benefits all users of the public domain, not just the defendant; he obtains no exclusive right and so his incentive to spend on defense is reduced and he may be forced into an unfavorable settlement." US Court of Appeals, 7th Cir., July 9, 2008, Eagle Services Corp. v. H20 Industrial Services, Inc., 532 F.3d 620"Customers who download music and movies for free would not necessarily spend money to acquire the same product.....RIAA’s request problematically assumes that every illegal download resulted in a lost sale."-Hon. James P. Jones, Dist. Judge, Western Dist. Virginia, November 7, 2008, USA v. Dove